Commit 97bc7e3

author
edvraa
committed
check for sensitive property name
1 parent 7ab91bb commit 97bc7e3

3 files changed

+14
-1
lines changed


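--- a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
@@ -53,7 +53,8 @@ module Cookie {
 exists(string val |
 (
 val = expr.getStringValue() or
-val = expr.asExpr().(VarAccess).getName()
+val = expr.asExpr().(VarAccess).getName() or
+val = expr.(DataFlow::PropRead).getPropertyName()
 ) and
 regexpMatchAuth(val)
 )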
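Review bot: The new `PropRead` alternative only inspects the node passed as the cookie name, so a one-step indirection such as `const name = o.session; res.cookie(name, ...)` is matched by the `VarAccess` branch on `name` and the auth-related property name `session` is lost. If this module already uses local data flow elsewhere, evaluating the three alternatives against `expr.getALocalSource()` rather than `expr` would close that gap; I have not verified whether `getStringValue()` already follows local flow here. It is also worth confirming that `getPropertyName()` covers constant bracket access (`o["session"]`) as well as dot access, which I believe it does. Since all three branches are a name-based heuristic, a short comment above the `exists` stating that matches are by name only, not by the value actually sent, would help the next maintainer. The enclosing predicate starts before this hunk.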

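--- a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
@@ -14,3 +14,4 @@
 | test_responseCookie.js:65:5:65:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:84:5:84:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:95:5:95:41 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:106:5:106:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |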

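--- a/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
@@ -96,6 +96,17 @@ app.get('/a', function (req, res, next) {
 res.end('ok')
 })
 
+app.get('/a', function (req, res, next) {
+let options = {
+maxAge: 9000000000,
+httpOnly: false,
+}
+options.httpOnly = false;
+let o = { session: "blabla" }
+res.cookie(o.session, 'value', options); // BAD, var name likely auth related
+res.end('ok')
+})
+
 app.get('/a', function (req, res, next) {
 let options = {
 maxAge: 9000000000,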
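Review bot: The inline comment on the new `res.cookie(o.session, ...)` line says "var name likely auth related", but the cookie name here is a property read, which is exactly the case this commit adds to the query; `// BAD, property name likely auth related` states what the test actually exercises. The new case only checks that a matching property name is flagged; a sibling case with a non-auth property name (for example `let o = { theme: "dark" }` passed to `res.cookie`) with a `// GOOD` marker and no new line in the `.expected` file would guard against the heuristic over-matching on arbitrary property reads. The `options.httpOnly = false;` reassignment after the literal mirrors the earlier fixtures, so it looks deliberate rather than a leftover. The surrounding handlers before and after the added block extend outside this hunk.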
